Some New Software Security Tools for Web Developers – (CTP Releases)

Curphey here…..(follow me on Twitter @curphey if you want the breaking news!)

My wife keeps telling me I work too much. Maybe I do, maybe I don’t, but if I do I am not alone. Some folks on my team have been doing some super-human stuff and we are ready to share some early preview releases with y’all. Let’s call this Anti-patch Tuesday (assuming I get to post this before midnight tonight)!

CAT.NET 2.0 CTP – CAT.NET is being re-written from the ground up. The original tainted data analysis algorithm has been ported to the Phoenix compiler infrastructure, along with a new configuration rules engine that looks in *.config files for common security misconfigurations. This CTP is a command line only single-pass data flow engine plus the configuration rules engine. Over the coming few months we will work to scale the core engine and fully integrate the tool into the Code Analysis menu of Visual Studio 2010. When Visual Studio 2010 ships, the tool will be released as a Power Tool, free to licensed users of Visual Studio.

WACA 1.0 CTP – Web Application Configuration Analyzer – WACA is built on the Best Practices Analyzers and shares the same configuration-setting rules as CAT.NET 2.0. WACA is designed to scan your development environment against best practices for .NET security configuration, IIS settings, SQL Server security and some Windows permission settings. It includes

If you think of rules you would like to see, you can always let us know via the Connect site. No promises, but we do promise to consider them all.
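To make concrete what a configuration rules engine of the kind CAT.NET 2.0 and WACA share actually does, here is an added example that is not code from either tool: a small scanner that reads a web.config, resolves each setting to the value ASP.NET would actually use (the framework default when the element or attribute is absent), and reports the ones that match an insecure value. The rule IDs, the rule list and both web.config samples are constructed for illustration and are not the tools' real rule set.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config carrying several common misconfigurations.
INSECURE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <pages validateRequest="false" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>
"""

# The same file with each setting corrected.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.0" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <pages validateRequest="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
"""

# Illustrative rules (hypothetical IDs, not CAT.NET/WACA's real rule set):
# element path under <configuration>, attribute, the ASP.NET default that applies
# when the element or attribute is absent, the values treated as insecure, message.
RULES = [
    ("CFG001", "system.web/compilation", "debug", "false", {"true"},
     'compilation debug="true": debug build and verbose errors in production'),
    ("CFG002", "system.web/customErrors", "mode", "remoteonly", {"off"},
     'customErrors mode="Off": stack traces and source paths reach remote clients'),
    ("CFG003", "system.web/trace", "enabled", "false", {"true"},
     'trace enabled="true": Trace.axd exposes request and session data'),
    ("CFG004", "system.web/httpCookies", "httpOnlyCookies", "false", {"false"},
     "httpOnlyCookies is not true: cookies are readable from script after an XSS"),
    ("CFG005", "system.web/httpCookies", "requireSSL", "false", {"false"},
     "requireSSL is not true: cookies are also sent over plain HTTP"),
    ("CFG006", "system.web/pages", "validateRequest", "true", {"false"},
     'pages validateRequest="false": ASP.NET request validation disabled'),
    ("CFG007", "system.web/authentication/forms", "requireSSL", "false", {"false"},
     "forms requireSSL is not true: the authentication ticket can travel over HTTP"),
]


def effective_value(root, path, attr, default):
    """Return (value, origin): the configured value, lower-cased, or the framework
    default when the element or attribute is not present. Absence is not safety."""
    elem = root.find(path)
    if elem is None or elem.get(attr) is None:
        return default, "absent (default)"
    return elem.get(attr).strip().lower(), "configured"


def scan_config(xml_text):
    """Evaluate every rule against one configuration file and return the findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("not a .NET configuration file")
    # Forms-authentication rules only matter when forms authentication is enabled.
    auth_mode, _ = effective_value(root, "system.web/authentication", "mode", "windows")
    findings = []
    for rule_id, path, attr, default, bad_values, message in RULES:
        if path.endswith("/forms") and auth_mode != "forms":
            continue
        value, origin = effective_value(root, path, attr, default)
        if value in bad_values:
            findings.append({"rule": rule_id, "path": path, "attribute": attr,
                             "value": value, "origin": origin, "message": message})
    return findings


if __name__ == "__main__":
    for finding in scan_config(INSECURE_WEB_CONFIG):
        print(f"{finding['rule']} {finding['path']}@{finding['attribute']}="
              f"{finding['value']} [{finding['origin']}]: {finding['message']}")
```

The point of the default-resolution step is the one that bites in practice: a web.config with no `<httpCookies>` element at all is still flagged for `httpOnlyCookies` and `requireSSL`, because the ASP.NET defaults for both are false, so a scanner that only looks at what is written down would miss them.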

WPL 1.0 CTP – Web Protection Library – For a while we have been building and shipping the Anti-XSS library, and we have been working on broader mitigations for common web application security issues beyond XSS. The WPL will act as an umbrella for several libraries and runtime modules, including Anti-XSS, that provide coverage for issues such as SQL Injection and CSRF as well as enforcing security settings such as SSL and HttpOnly cookies. We have worked hard to make the developer experience similar to that of EntLib, with a configuration utility that runs inside Visual Studio. We expect a first release of WPL early in 2010. This CTP includes the SQL Injection protection module. Using the Security Runtime Engine you can now install the technology on your IIS servers and get reasonable runtime protection against XSS and SQLi without any code changes. We know that it won’t catch everything, but testing and experience have shown it provides a solid level of coverage against many scenarios found in the real world. Get more details on WPL in a recent video, “Enhanced Web Protection Library”, where RV talks about the expansion of what used to be the Anti-XSS Library.
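What a runtime module can and cannot do without code changes is easier to see in working code. The added example below is not WPL or Security Runtime Engine code; it models the two jobs the post describes as pure functions over HTTP headers and request parameters: a response-side filter that enforces HttpOnly and Secure on every Set-Cookie header the application emits, and a request-side screen that rejects query-string values matching a handful of injection signatures. The signature list is illustrative and deliberately small so that its limits are visible.

```python
import re
from urllib.parse import parse_qsl


def harden_set_cookie(header_value, over_https):
    """Add HttpOnly (always) and Secure (only when the response itself travels over
    TLS: browsers drop a Secure cookie that is set on a plain-HTTP response) to one
    Set-Cookie value that lacks them. Existing attributes are kept as they are."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    present = {p.split("=", 1)[0].strip().lower() for p in parts}
    if "httponly" not in present:
        parts.append("HttpOnly")
    if over_https and "secure" not in present:
        parts.append("Secure")
    return "; ".join(parts)


def harden_response_headers(headers, over_https):
    """Rewrite every Set-Cookie in a list of (name, value) pairs, as a response
    filter installed in front of the application would; other headers pass through."""
    return [(name, harden_set_cookie(value, over_https) if name.lower() == "set-cookie" else value)
            for name, value in headers]


# Illustrative request-side signatures (constructed for this example, not the SRE's logic).
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I),            # ' OR '1'='1 tautology
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),               # UNION SELECT extraction
    re.compile(r";\s*(drop|alter|insert|update|delete|exec)\b", re.I),  # stacked statements
    re.compile(r"--\s*$|/\*"),                                          # comment truncating the query
    re.compile(r"\b(waitfor\s+delay|sleep\s*\(|benchmark\s*\()", re.I), # time-based probes
]


def screen_query_string(query_string):
    """Return [(parameter, matched_pattern)] for parameters that look like SQL
    injection; an empty list means the request would be passed through."""
    hits = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        for pattern in SQLI_PATTERNS:
            if pattern.search(value):
                hits.append((name, pattern.pattern))
                break
    return hits


if __name__ == "__main__":
    print(harden_response_headers([("Set-Cookie", "ASP.NET_SessionId=abc123; path=/")], True))
    for qs in ("id=42&name=O'Brien", "id=1'+OR+'1'%3D'1", "id=1+OR+1%3D1"):
        print(qs, "->", "blocked" if screen_query_string(qs) else "passed")
```

Two things the example makes visible. The cookie filter is the strong part: it needs no cooperation from the application and cannot be bypassed by a request, which is why an enforcement module is a good place for it. The request screen is the weak part: `id=1' OR '1'='1` is caught, but the unquoted numeric-context tautology `id=1 OR 1=1` passes straight through, which is exactly the kind of gap the post means by "it won't catch everything". Treat the runtime module as a safety net and keep parameterized queries in the code.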

To download these tools for free you will need to register on our Connect site. This helps us track the number of downloads, and Connect provides a way for you to submit CRs and bugs directly to the development team.

We hope you enjoy the tools as much as we enjoy creating them. If you use them please let us know. Buy us beer at conferences (indeed invite us to speak at your security conferences and then buy us beer), send us “cube toys” and trinkets to put in our offices or just tell us how much you like our work in the comments section 😉

– Curphey

PS – To my super-human team – Just because I am sometimes grumpy doesn’t mean I am not in awe of your amazing work. I just get beaten too often on the foosball table to be happy all day! You all know who you are; I am super proud and honored to work with y’all. Now go get some sleep before the next sprints start!

Please make sure you have subscribed to the CAT.NET or WPL or WACA program to download the appropriate build. We have also opened it up to registered users now. But in order to submit feedback you have to be part of the program.

Great news! You guys really make a great effort of providing us with these tools in a very short time.

I am really interested to get my hands on the new CAT.NET tool to see if this performs better than the 1.0 version. I applied but my status is still pending, so I can’t download the software. Is this because it is still not available?